System and methodology providing multi-tier-security for network data exchange with industrial control components

ABSTRACT

The present invention relates to a system and methodology facilitating network security and data access in an industrial control environment. An industrial control system is provided that includes an industrial controller to communicate with a network. At least one security layer can be configured in the industrial controller, wherein the security layer can be associated with one or more security components to control and/or restrict data access to the controller. An operating system manages the security layer in accordance with a processor to limit or mitigate communications from the network based upon the configured security layer or layers.

TECHNICAL FIELD

The present invention relates generally to industrial control systems,and more particularly to a system and methodology to facilitate datatransfers between a plurality of industrial control components inaccordance with a multi-tier security architecture.

BACKGROUND OF THE INVENTION

Industrial control systems have enabled modern factories to becomepartially or completely automated in many circumstances. These systemsgenerally include a plurality of Input and Output (I/O) modules thatinterface at a device level to switches, contactors, relays andsolenoids along with analog control to provide more complex functionssuch as Proportional, Integral and Derivative (PID) control.Communications have also been integrated within the systems, wherebymany industrial controllers can communicate via network technologiessuch as Ethernet, Control Net, Device Net or other network protocols andalso communicate to higher level computing systems. Industrialcontrollers utilize the aforementioned technologies along with othertechnology to control multiple applications ranging from complex andhighly distributed to more traditional and repetitious applications.

At the core of the industrial control system, is a logic processor suchas a Programmable Logic Controller (PLC). Programmable Logic Controllersare programmed by systems designers to operate manufacturing processesvia user-designed logic programs or user programs. The user programs arestored in memory and generally executed by the PLC in a sequentialmanner although instruction jumping, looping and interrupt routines, forexample, are also common. Associated with the user program are aplurality of memory elements or variables that provide dynamics to PLCoperations and programs. These variables can be user-defined and can bedefined as bits, bytes, words, integers, floating point numbers, timers,counters and/or other data types to name but a few examples.

Various remote applications or systems often attempt to update and/oracquire PLC information or related device information via a plurality ofdifferent, competing and often incompatible or insecure networktechnologies. A major concern with this type of access to PLC's andcontrol systems in general, relates to the amount of security that isprovided when sending or receiving data to and from the PLC. In mostfactories or industrial environments, complex and sometimes dangerousoperations are performed in a given manufacturing setting. Thus, if anetwork-connected controller were inadvertently accessed, or even worse,intentional sabotage were to occur by a rogue machine or individual,potentially harmful results can occur.

One attempt at providing security in industrial control systems relatesto simple password protection to limit access to the systems. This cantake the form of a plant or controls Engineer or Administrator enteringan alpha-numeric string that is typed by an operator each time access isattempted, wherein the controller grants access based on a successfultyping of the password. These type passwords are highly prone to attackor discovery, however. Often times, users employ passwords that arerelatively easy to determine (e.g., person's name or birthday).Sometimes, users exchange passwords with other users, whereby thepassword is overheard or simply, a user with improper authorizationcomes in contact with the password. Even if a somewhat higher level ofsecurity is provided, parties employing sophisticated hacking techniquescan often penetrate sensitive control systems, whereby access should belimited to authorized users in order to mitigate potentially harmfulconsequences.

SUMMARY OF THE INVENTION

The following presents a simplified summary of the invention in order toprovide a basic understanding of some aspects of the invention. Thissummary is not an extensive overview of the invention. It is intended toneither identify key or critical elements of the invention nor delineatethe scope of the invention. Its sole purpose is to present some conceptsof the invention in a simplified form as a prelude to the more detaileddescription that is presented later.

The present invention relates to a system and methodology to provide amulti-tiered security framework that mitigates unauthorized data accesswithin an industrial controller environment. A layered and adaptablesecurity architecture is provided in a Programmable Logic Controller(PLC) or PC-based controller and/or in conjunction with a module/systemexchanging data with the controller. The security architecture caninclude a plurality of configurable security layers having associatedsecurity components to facilitate adapting the PLC to a desired securitylevel in accordance with a variety of different applications. Forexample, in a lower-level application such as a monitoring application,fewer security layers may be configured to mitigate PLC data access thanin a more sensitive application that controls potentially dangerousmanufacturing operations (e.g., dangerous if unauthorized accesspermitted).

Security layers can include a trust component to provide machineauthentication, an encryption component to provide user authentication,authorization, and data encryption, and a policy component to facilitatevarying levels of data access (e.g., restrict data access of specifiedmachines and/or persons according to selected security policies). Otheraspects can include enabling one or more virus detection components toanalyze received data, providing segmented security areas within thecontroller having various security mappings or permissions, andmaintaining subnet lists specifying valid machine and/or data accessaddresses. Still other security layers can include virtual privatenetworks mitigating unauthorized controller access, encapsulationprotocols shielding underlying control protocols, and LAN-locked layersmitigating controller access from public networks.

In accordance with one aspect of the present invention, securitycomponents such as public keys and trusted certificates can be providedto establish a trust between network-based components attempting tocommunicate within an industrial controller environment. This caninclude employment of such security components as an Internet KeyExchange (IKE), Internet Protocol Security (IPSEC), Kerberos, one ormore security policies, Secure Socket Layers (SSL) and/or other securitycomponents in order to limit data access by non-trusted parties.Encryption technologies can be employed in establishing trustrelationships, mitigating unwanted data access of private data, andencapsulating control data within a security packet. This can includeencapsulating local and/or other network protocols within an encryptedtransmission stream that includes such protocols as Ethernet (e.g.,IEEE802.3, TCP/IP, UDP, EtherNet/IP, and so forth), ControlNet®,DeviceNet®, Data Highway (DH)DH+, CIP, and/or other network protocols(e.g., Foundation Fieldbus (H1 and Fast Ethernet) Modbus/TCP, Profibus).Industrial components communicating via networks can be configured inaccordance with one or more desired levels of security and/or securitylayers. Security layers can be selected in various combinations withrespective layers having one or more associated security components.Data access can be stringently or generously permitted (or there betweenif desired) according to the selected security layer, layer combination,and/or security components associated with respective layers.

The following description and the annexed drawings set forth in detailcertain illustrative aspects of the invention. These aspects areindicative, however, of but a few of the various ways in which theprinciples of the invention may be employed and the present invention isintended to include all such aspects and their equivalents. Otheradvantages and novel features of the invention will become apparent fromthe following detailed description of the invention when considered inconjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram illustrating an industrialcontroller and a multi-tier security architecture in accordance with anaspect of the present invention.

FIG. 2 is a schematic block diagram illustrating an industrial controlarchitecture and associated security components in accordance with anaspect of the present invention.

FIG. 3 is a schematic block diagram illustrating a security negotiationexchange and associated components in accordance with an aspect of thepresent invention.

FIG. 4 is a schematic block diagram illustrating a security policy storeand associated parameters in accordance with an aspect of the presentinvention.

FIG. 5 is a diagram illustrating security policy configurations inaccordance with an aspect of the present invention.

FIG. 6 is a schematic block diagram illustrating a virtual privatenetwork configuration in accordance with an aspect of the presentinvention.

FIG. 7 is a diagram illustrating virus detection components inaccordance with an aspect of the present invention.

FIG. 8 is a schematic block diagram illustrating a segmented securityarchitecture in accordance with an aspect of the present invention.

FIG. 9 is a schematic block diagram illustrating security componentconfiguration in accordance with the present invention.

FIG. 10 is a schematic block diagram illustrating a locking component inaccordance with the present invention.

FIG. 11 is a diagram illustrating security encapsulation in accordancewith the present invention.

FIG. 12 is a flow diagram illustrating security layer and componentconfiguration in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to a system and methodology facilitatingnetwork security and data access in an industrial control environment.An industrial control system is provided that includes an industrialcontroller (e.g., PLC, PC-based controller or equivalent) to communicatewith a network such as the Internet. Security layers can be configuredin the industrial controller, wherein the layers can be associated withone or more security components to control and/or restrict data accessto the controller and/or data access to components associated with thecontroller. An operating system manages the security layers inaccordance with a processor to limit or mitigate communications from thenetwork based upon the configured security layers.

Referring initially to FIG. 1, an industrial control and multi-tiersecurity system 10 is illustrated in accordance with an aspect of thepresent invention. The system 10 includes an industrial controller 20communicating to one or more remote systems 24-28 across a local factoryand/or a public network 30 such as the Internet. A processor 34 (orprocessors) in the controller 20 directs an associated operating system38 that is part of larger memory subsystem in the controller. Theoperating system 38 (e.g., Microsoft® Windows® NT/2000/XP, Windows CE,Linux, .NET, OS-9, UNIX, VRTX, QNX, VxWorks, CE.NET, custom-designed) inconnection with the processor 34 manage a layered security component 44in order to mitigate un-secure, unauthorized and/or unauthenticatedaccess from the network 30 and associated remote systems 24-28. Thelayered security component 44 includes 1 to M layers of configurable andselectable security protocols, M being an integer, wherein respectivelayers can include one or more security components that are described inmore detail below.

It is noted that the layered security component 44 can reside in thecontroller 20 and/or reside outside of the controller such as in anassociated communications module or server (not shown) in order to limitcommunications access to the controller. In addition, the remote systems24-28 can employ different levels of security to gain access to thecontroller 20, wherein the controller maintains various configurationsdepending on the type of remote system attempting access (e.g., remotesystem₁ is a local system adapted with a lower security level thanremote system₂ attempting data access over a public network). Thecontroller 20 can also communicate to various Input/Output subsystems 50and/or other networks (e.g., Analog, Digital, Programmed/Intelligent I/Omodules, other programmable controllers, communications modules,networks). It is also noted that communications to the I/O subsystems 50and/or within the controller 20 can include varying securityconfigurations per a selected module (or module grouping) and/orselected memory area, address, and/or address range within thecontroller (e.g., one module is configured for higher security levels(e.g., engages more security layers) than another module).

The layered security component 44 having associated security layers andsecurity components, provides a multi-tier and configurable securityarchitecture for the industrial controller system 10. Thus, controlsystem users can select a desired security level based upon a type(e.g., type of security components selected per a given layer) andnumber of security layers selected. As one particular example, one usermay configure three security layers that limit access to the controller20 (or components within/associated with controller), whereas a seconduser may configure five security layers to limit access, whereby therespective layers have one or more various and/or different securitycomponents configured. It is noted that security configurations can beprovided in a plurality of different manners. For example, a pluralityof security components can be stored in accordance with the operatingsystem and associated memory subsystem 38, wherein a designated layer(e.g., user interface editing parameters for layer₁) is assigned one ormore of the stored security components. In another aspect, FLASH memorycan be provided at 38, wherein prospective security configurations aredownloaded to the controller 20. Yet another aspect includes replacingor changing portions of the memory subsystem 38 in accordance with adesired security setting or mapping. As will be described in more detailbelow, security components can include trust components, encryptioncomponents, policy components, and/or other components that can beselected in accordance with the layered security component 44.

Referring now to FIG. 2, a system 100 illustrates an industrial controlarchitecture and associated security components in accordance with anaspect of the present invention. A remote system 120 sends and/orreceives data to a controller 130 or other module or system intercedingon behalf of the controller. Data access can include remote/localnetwork access, wireless, Ir/DA (infra red data link), Virtual PrivateNetwork (VPN), phone dial-up, and/or substantially any data access tothe controller 130 from the remote system 120. In accordance with oneaspect of the present invention, a user 134 may seek access to remoteresources of the controller 130 (e.g., database, modules) via the remotesystem 120. For example, the user 134 may dial in via a phone line ornetwork connection 136 to the remote system 120. Before the user cangain access to the controller 130, however, a trust relationship 140 isestablished between the remote system 120 and the controller. A firstand second bust component 142 and 144 are provided to authenticate (e.g.establish security agreement) the trust relationship 140 between theremote system or systems 120 and the controller 130. The trustcomponents 142 and 144 can include a policy component such as anInternet Key Exchange (IKE) component. Certificates and/or Kerberos, forexample, can be utilized to establish the trust relationship 140. It isnoted that shared secrets can be automatically exchanged to establishthe trust 140, for example.

According to one aspect of the present invention, the trust 140 may beestablished according to the Public Key Infrastructure (PKI)-PKI isreadily understood by those of ordinary skill in the art and isgenerally defined by the Internet Engineering Task Force (IETF). As willbe described in more detail below, a certificate (not shown) may beissued to or from the controller 130 that defines the trust relationshipwith the remote system 120. The certificate may include such informationas an identifier field, a public key field, a serial number (of thecertificate) activation, expiration date and digital signature field. Inaccordance with an alternative aspect of the present invention, Kerberosmay be employed to facilitate the trust relationship 140. Kerberos isreadily understood by those of ordinary skill in the art and isgenerally defined by the IETF. Kerberos operates by providing principals(e.g. users or services) with tickets that may be utilized to identifythe principals. The tickets provide a cryptographic sequence of bytes tofacilitate the trust relationship 140. As will be described in moredetail below in relation to FIG. 6, Kerberos may also be employed tomanage internal factory networks associated with the controller 130.

In conjunction with establishing the trust relationship 140, asubstantially secure data channel 148 is provided between the remotesystem 120 and the controller 130. A first and second encryptioncomponent 152 and 154 provide data encryption for the secure datachannel 148. According to one aspect of the present invention, anInternet Protocol Security (IPSEC) protocol may be employed to providesubstantially secure data between remote systems and the controller 130.IPSEC is readily understood by those of ordinary skill in the art andspecified by the IETF. As will be described in more detail below, IPSECfacilitates private and secure communications over public communicationschannels such as the Internet. By utilizing IPSEC, security issuesassociated with conventional control systems are mitigated.

According to an alternative aspect of the present invention, a SecureSockets Layer (SSL) protocol specified by the IETF, may be employed bythe encryption components 152 and 154. A goal of the SSL Protocol is toprovide privacy and reliability between two communicating applications.The protocol can be composed of two layers, for example. At the lowestlevel, layered on top of a common transport protocol (e.g., TCP[TCP]),is an SSL Record Protocol. The SSL Record Protocol is employed forencapsulation of various higher-level protocols. One such encapsulatedprotocol, an SSL Handshake Protocol, enables the first and second systemto authenticate each other and to negotiate an encryption algorithm andcryptographic keys before an application protocol transmits or receivesits first byte of data. An advantage of SSL is that it is applicationprotocol independent. It is noted that a higher-level protocol can layeron top of the SSL or IPSEC Protocol transparently.

The controller 130 includes a processor and associated memory component164 to facilitate user authentication and authorization between theremote system 120 and the controller 130. For example, a useraccess-request (e.g., remote request to access controller resources) maybe received from the user 134 or remote system 120 and directed to theprocessor 160 to authenticate and authorize the user via the encrypteddata channel 148. After the remote system and/or user 134 has beenauthenticated and authorized, the user or system can then be permittedaccess to the controller 130. It is noted that authentication refers toa determination that a purported user or system is whom they claim tobe. Authorization is a process of verifying that a user or system hasbeen authorized by the controller 130 to access controller resources. Itis further noted that authorization can include enabling partial and/orconstrained access to one or more portions of the controller 130. Forexample, the controller 130 may desire to limit access of confidentialdata locations from designated users who may need only access a portionof the resources, yet enable the designated users access to otherresources or portions thereof.

Turning now to FIG. 3, a system 180 illustrates a more detailed securitysystem according to one particular aspect of the present invention. Asnoted above, before user and/or machine authentication and authorizationoccurs, a trust and encryption should be established between a remotesystem 182 and a controller 184 via a trust subsystem 200. In addition,one or more of the security components discussed can be selected andconfigured within a security layer or layers according to a desiredsecurity level as described above.

The trust subsystem 200 includes an Internet Key Exchange (IKE)subsystem 220 and 222 for securing network traffic 238 between systems182 and 184. As will be described in more detail below, the trustsubsystem 200 may also include policy modules 224 and 226 to enableconfiguration of the IKE subsystems 220 and 222. The policy modules 224and 226 can also provide security configuration information to InternetProtocol Security (IPSEC) drivers 230 and 232 that communicate viaTCP/IP drivers 234 and 236 (or other network drivers) thereby enablingsubstantially secure network traffic 238 between the systems 182 and184. A negotiation phase, referred to as Main Mode 242 is initiatedbetween the IKE subsystems 220 and 222 in order to establish a machinelevel trust between the parties. A second negotiation phase known asQuick Mode 244 that utilizes keying material derived in Main Mode 242 isemployed to provide a secure data channel 246 between the parties. Asdescribed above, an SSL protocol may be utilized in place of IPSEC toprovide the secure data channel 246.

The policy modules 224 and 226, retrieve IPSEC policy (illustrated belowin FIG. 4) from a local memory, directory domain, a configured set oflocal policies, or from a local cache. The policy modules 224, 226 thendistribute authentication and security settings to the IKE modules 220,222, and filters, described below, to the IPSEC Drivers 230 and 232. TheIKE modules 220, 222 receive authentication and security settings fromthe policy modules 224, 226 and wait for requests to negotiate IPSECsecurity associations (SAs). When requested by the IPSEC Drivers 230,232 the IKE modules 220, 222 may negotiate two types of SAs, forexample, (e.g., an ISAKMP SA and an IPSEC SA, described below) with asuitable endpoint based on the request of the IPSEC Drivers 230, 232 andpolicy settings obtained from the policy modules 224, 226. After anIPSEC SA is negotiated, for example, the IKE module 220, 222 sends theSA settings to the IPSEC Drivers 230, 232. The IPSEC Drivers generallymonitor and secure unicast network traffic. After filters are receivedfrom the policy modules 224, 226, the IPSEC Drivers 230, 232 determinewhich packets are permitted, blocked, or secured. For secure traffic,the IPSEC Drivers 230, 232 either employs active SA settings to securethe traffic or requests that new SAs be created. The IPSEC Drivers 230,232 may be bound to the TCP/IP Drivers 234, 236 when the policy modules224, 226 begin to provide IPSEC processing for data packets that passthrough the TCP/IP Drivers 234, 236.

Referring briefly to FIG. 4, IPSEC policies 250 and filters associatedwith the policy modules 224 and 226 described above will now bedescribed in more detail. The IPSEC policy 250 may be contained in adata storage (not shown) associated with the policy modules 224, 226.The data in the policy 250 represents a desired protection for trafficbetween devices such as controllers and remote systems on a network. Thedata is made up of various attributes related to the parties (e.g., IPaddress and port number), the communication methods supported (e.g.,algorithms and key lengths), IKE key negotiation and management, anduser-defined settings for other type access described below in relationto FIG. 5.

The IPSEC policy 250 may include the following information:

Policy-wide parameters—Includes polling intervals employed to detectchanges in policy.

ISAKMP policy—Contains IKE parameters, such as encryption key lifetimes,and other settings. The ISAKMP policy also contains a list of securitymethods for protecting the identity of IPSEC peers duringauthentication.

IPSEC rules—Contains one or more rules that describe IPSEC behavior forthe policy.

IPSEC rules are the part of the policy data that is employed toassociate IKE negotiation parameters with one or more filters.

Respective IPSEC rules may include the following:

Filter List—Contains one or multiple predefined filters that describethe types of traffic to which an action (permit, block, or secure) isapplied.

Filter Action—Includes the type of action to take (permit, block, orsecure) for packets matching the filter list. For the secure action, thenegotiation data contains one or more security methods that are employedin order of preference during IKE negotiations and other IPSEC behaviorsettings. Respective security methods describe a security protocol touse, cryptographic algorithms, and session key regeneration settings.Authentication Method(s)—Contains one or more authentication methodsthat are utilized for protection during IKE negotiations. For example,such authentication methods may be related to a Kerberos protocol, acertificate issued from a specified certificate authority, and/or apreshared key.Tunnel Endpoint—Contains settings that determine whether traffic istunneled and, if it is, the tunnel endpoint.Connection Type—Contains a setting that specifies whether a rule appliesto local area network (LAN) connections, to Point-to-Point Protocol(PPP)-based connections, to both types of connections, or to other typeconnections.

Filters are generally part of the policy data employed to specifynetwork connection information. One or more filters are associated withnegotiation data; defining which security measures are utilized toprotect network connections that match the filter. The policy modules224 and 226 process filters obtained from the IPSEC policy. The policymodules maintain a list of filters for the IPSEC components and providea filter list to the IPSEC drivers 230, 236. The policy modules 224, 226manage a filter list that includes items corresponding to respectivefilters configured in the IPSEC policy and a generic filter and mirroredfilters. Items in the list can include the following information:Network address data,

Source/destination address, source/destination mask, source/destinationport, and protocol,

The determination of whether the filter is for a tunnel and, if it is,its address,

The rule ID for the filter,

Flags indicating:

-   -   Whether the filter should be mirrored    -   Whether the filter was provided to the IPSEC Driver    -   Whether the filter is instantiated from a more generic filter    -   Whether the filter is dynamic    -   Whether the filter is blocking, clear, or pass through    -   The direction of the filter    -   The weight of the filter    -   The type of interface that the filter supports    -   The parent filter ID (if instantiated)

It is noted, that when the filter has a mirror, a copy of the filter iscreated and the source and destination addresses are swapped. It is tobe appreciated that the above described policies can be adapted in alocal and/or remote user orientation. For example, of a user were inproximity of the controller (e.g., line of site with the controller) theuser may have different rights, policies, rules established/configuredthan the same or other user attempting access to the controller in aremote location.

Referring back to FIG. 3, the IKE modules, 222, 224 andinterrelationships of Main Mode 242 and Quick Mode 244 are described inmore detail. The IKE modules 220, 222 re employed to establish acombination of mutually agreeable policy and keys that define securityservices, protection mechanisms, and cryptographic keys betweencommunicating peers such as the remote system 182 and the controller184. This combination may be referred to as a security association (SA).The SA is employed by the IPSEC Driver to protect corresponding networktraffic 238.

To create an SA between systems, the IETF has established a standardmethod of SA and key exchange resolution, which combines InternetSecurity Association and Key Management Protocol (ISAKMP) and an OakleyKey Determination Protocol. This standard method is IKE and is describedby the IETF. Oakley generates and manages authenticated keys to encryptand decrypt the information for both negotiations utilizing aDiffie-Hellman key exchange protocol, for example.

The Oakley standard provides the Main/Quick modes as is well understood.Main Mode 242 provides for new key generation material and a newencryption key, wherein the Quick Mode 244 negotiations are derived fromthe Main Mode negotiations 242. The Main Mode negotiations 242 establisha secure channel known as the ISAKMP SA between systems for the purposeof protecting security negotiations. To achieve this, the IKE modules220 and 222 authenticate computer identities and exchange keyingmaterial to establish an automatically generated shared secret key. TheMain Mode 242 provides the necessary identity protection during thisexchange. This enables privacy by facilitating that identity informationis not sent without encryption between communicating systems. Quick Modenegotiations 144 establish a secure channel 246 between the systems 182and 184 for the purpose of protecting data. Because this negotiationphase involves the establishment of SAs that are negotiated on behalf ofthe IPSEC service, the SA created in Quick Mode is referred to as anIPSEC SA. During this phase, keying material is refreshed or, ifnecessary, new keys are generated.

After an SA has been established, the IKE modules 220, 222 send the SAand the shared encryption key to the IPSEC Drivers 230, 232 for use inprotecting network traffic. The IKE module or the IPSEC Driver mayinitiate re-keying based on duration lifetime, byte count lifetime,and/or policy changes, for example. The IKE modules 220, 222 performMain Mode negotiations with a peer system to establish protection suitesand keys for subsequent use in protecting Quick Mode IKE communications.Main Mode Negotiation may occur in three parts: Negotiation ofprotection suites, A Diffie-Hellman exchange, and machineauthentication, for example. ISAKMP payloads may be associated withinmessages relating to Main Mode 142. These payloads may be related asfollows: A Security Association, a key exchange, and identification (ID)payload.

A first Security Association payload is a list of proposed protectionsuites for the ISAKMP SA sent by a network system initiator of thedesired communications. A second Security Association payload sent in areply message is a specific protection suite for the ISAKMP SA that iscommon to both IPSEC network systems. It is selected by a respondernetwork system. The Key Exchange payload may be sent in a third messageby the initiator and in a fourth message by the responder and containsDiffie-Hellman key determination information for the Diffie-Hellman keyexchange process. The ID payload contains a nonce, which is apseudorandom number that is utilized once. The initiator and respondernetwork systems each send their own unique nonces. Nonces are employedto provide replay protection.

When initiating an IKE exchange, the IKE modules 220, 222 proposeprotection suites based on the applied security policy. Proposedprotection suites can include attributes for encryption algorithms, hashalgorithms, authentication methods, and Diffie-Hellman Oakley groups.The following Table lists some exemplary protection suite attributevalues that are supported by the IKE modules 220, 222. It is to beappreciated that other attributes and values may be included.

Attribute Attribute Value Encryption algorithm DES, 3DES Integrityalgorithm MD5, SHA-1 Authentication method Kerberos, preshared key,certificate Diffie-Hellman group Group 1 (768-bit), Group 2 (1024-bit)

The initiating IKE module (e.g., module 220) proposes one or moreprotection suites in a similar order as they may appear in the appliedsecurity policy. If one of the protection suites is acceptable to theresponding IKE peer (e.g., module 222) the responder selects one of themfor use and responds to the initiator with its choice. After aprotection suite has been negotiated, the IKE modules 220, 222 generatea Diffie-Hellman public and private key pair based on the negotiatedDiffie-Hellman Oakley group. The IKE modules select a firstDiffie-Hellman CSP found by searching in the following order ofpreference by CSP type: The cryptographic strength of a Diffie-Hellmankey pair is related to its prime number length (key size).Diffie-Hellman groups with the following lengths can be defined: Group 1is 768 bits, Group 2 is 1024 bits, Group 5 is 1536 bits. The IKE modules220, 222 support a plurality of methods for authentication. For example,these methods may include Kerberos, Certificate-based digital signature,and/or Preshared key.

Upon the completion of Main Mode negotiations 242, or the expiration ofa Quick Mode SA, the Quick Mode negotiation 244 is initiated. The IKEmodules 220, 222 query the policy modules 224, 226 to determineappropriate filter actions, including whether a link is tunnel ortransport, the protocol, and the encryption and hashing algorithms areproposed or accepted. Quick Mode negotiation messages may be protectedwith the ISAKMP SA established during Main Mode. Each successful QuickMode SA negotiation generally establishes two IPSEC SAs. One is inboundand the other is outbound, for example. The following Table listspossible messages exchanged by IPSEC peers during Quick Modenegotiations 244.

Quick Mode Message Sender Payload 1* Initiator ISAKMP header, SecurityAssociation (contains proposals and secure traffic description) 2*Responder ISAKMP header, Security Association (contains a selectedproposal) 3* Initiator ISAKMP header, Hash 4* Responder ISAKMP header,Notification

Some of the possible related filter action choices described above arelisted in the following Table.

Filter Action Choices ESP Encryption/Integrity Algorithm AH High DES/MD5None Medium None MD5 Custom DES, 3DES, or none/MD5, SHA-1, or MD5 orSHA-1 none

The IKE modules 220, 222 generate session keys for both the inbound andoutbound IPSEC SAs based on the Main Mode shared master key and noncematerial exchanged during the Quick Mode negotiations. Additionally,Diffie-Heliman key exchange material can also be exchanged and utilizedto enhance the cryptographic strength of the IPSEC session key.

Referring now to FIG. 5, security policy configurations are illustratedin accordance with an aspect of the present invention. At 300, acontroller is illustrated having a security component 310 that isconfigured in part from a user policy store at 320. As described above,security policies can be utilized to facilitate authentication,encryption, and/or other security aspects via a plurality of associatedmethods and filters. At 320, users can configure system-based policiesand associated rules for granting or permitting/denying access to thecontroller 300 and/or components associated with the controller.User-defined policies can include a plurality of access variables thatdefine a manner for which data access is granted by the controller 300.This can include time-based policies (e.g., no access given to anyexternal system from 9:00 AM EST until 5:00 PM EST, read access grantedto tier-3 layer devices after 6:00 PM PST). Location-based policies canbe defined. For example, only devices from internal factory IP addressespermitted access, requests from outside the United States not permitted,designated factory locations granted access. User-designated policiescan be configured such as lists that define people or IP addresseshaving proper/improper authorization to access the controller (e.g.,only Controls Engineers on list in user policy store can accesscontroller, designated maintenance people or management, substantiallyany person/machine classification, people listed that are to be excludedfrom access). Process-based policies can be defined such that duringspecified controls processes or programs, higher-level security measuresor layers are employed, whereas during other processes, lower-levelsecurity layers are employed. As can be appreciated, logical rules canbe established for a selected policy or combinations of policies. Therules can include AND, OR, NOT and substantially any BOOLEAN ormathematical combination (e.g., If it is after 5:00 CST, AND process 2is running, permit access to operator A OR operator B, from Location ZOR Location Y).

Turning now to FIG. 6, a system 360 depicts a private network orIntranet structure wherein a negotiated trust can be employed inaccordance with the present invention. The system 360 may include acontroller 364 and a plurality of devices 374-378 configured withsecurity components for communicating within a virtual private network(VPN) 384. The VPN 384 is a private data network that can employ apublic telecommunication infrastructure, maintaining privacy through theutilization of a tunneling protocol and security procedures, asdescribed above. This can involve encrypting data before sending itthrough the public network (not shown) and decrypting data at areceiving end. An additional level of security involves encrypting notonly the data but also the originating and receiving network addresses,for example. Relative to the Internet, for example, tunneling involvesutilizing the Internet as part of a private secure network. The “tunnel”can be viewed as a particular path that a given message, file and/ordata may travel through the Internet.

In accordance with an aspect of the present invention, a trust may beestablished between the controller 364 and the other VPN devices374-378. The trust may be established via Kerberos (or other securitytechnique), for example, which provides for authenticating accesses tothe controller 364. As discussed above, Kerberos is a networkauthentication system based upon a key distribution model. It enablesentities communicating over networks to prove their identity to eachother while mitigating eavesdropping or replay attacks. Kerberos alsoprovides for data stream integrity (e.g., detection of modification) andsecrecy (e.g., preventing unauthorized reading) by employingcryptography. According to Kerberos protocol, a ticket may be providedwherein the VPN devices (364, 374-378) may identify themselves. A ticketmay be a sequence of bytes and may be imbedded in virtually any networkprotocol thereby enabling the processes implementing a particularprotocol to determine the identity of the entities involved (e.g.,controller, communications modules, other VPN devices).

Turning now to FIG. 7, a system 400 illustrates virus detection aspectsin accordance with the present invention. One or more remote systems 410interact with a controller 420 (or communications module interfacing tocontroller) over a network 424. At 430, one or more virus detectioncomponents 430 are provided to analyze and discard potentially harmfulfiles or data that can be detected and received from the network 424.Viruses generally cannot infect other components such as computers orcontrollers without assistance and can be propagated by vectors such asvia humans trading programs with others or loading files from theInternet, for example. The virus may do nothing but propagate itself andthen allow a controller program to run normally. Many viruses, writtenby potential saboteurs, can do irreversible damage, like deleting alluser files or data. The virus detection components 430 can includeprograms to detect and remove controller viruses. Some detectionprograms scan executable files and boot blocks for a list of knownviruses. Other programs are generally always active, attempting todetect the actions of general classes of viruses. In addition the virusdetection components 430 should include a regular update service inorder to become current with the latest viruses as they are discovered.The virus detection components 430 can be commercially availablepackages (e.g., Norton, Sophos, eTrust), custom-coded packages to detectknown controller viruses, and/or combinations thereof.

Referring now to FIG. 8, a segmented security system 500 is illustratedin accordance with an aspect of the present invention. A controller 510can be segmented in a plurality of security areas A1 through AY, Y beingan integer, wherein respective areas can be identified with anassociated security layer or layers having respective securitycomponents. As an example, area A₁ can be a sensitive data areacontaining batch processing variables, wherein several security layersand associated security components must be negotiated before gainingaccess to A₁. On the other hand, area A₂ may be a non-critical area(e.g., process display variables) whereby relatively few security layersare configured. This type of security segmentation and assignment ofsecurity layers can be extended to I/O modules 520 and/or othermodules/networks that interact with the controller 510. For example, 1through X modules may be associated with (e.g., in a policy store oncontroller) a respective security configuration defining the securitylayers and associated components that are to be negotiated with thecontroller 510 in order to gain access to a respective module. Thus, thesystem 500 enables security layers and associated security components tobe mapped to respective areas in the controller 510 and/or in relationto I/O or other type modules that interact with the controller.

Referring to FIG. 9, a system 600 illustrates security configuration inaccordance with an aspect of the present invention. A controller 610includes a security layer store at 620. The security layer storeincludes 1 to L security layers, L being an integer, wherein respectivelayers are associated with or mapped to one or more security componentsthat are stored in a security component store at 630. As noted above,the security components at 630 can be stored on the controller 610,downloaded to the controller, and/or provided as part of a firmwareupgrade in the controller, for example. At 640, one or more securitymappings are stored. The mappings relate respective areas and/or modulesassociated with the controller 510 to one or more security layers fromthe security layer component 620. As can be appreciated, the mappings at640 can be associated with a plurality of policies and/or rules thatdefine when a respective mapping is active. In addition, a globalmapping can be configured, wherein any interaction with or through thecontroller 610 is defined in a global mapping region at 640 that canhave the effect of overriding other security mappings that may also bestored.

FIG. 10 is a system 700 illustrating a locking component in accordancewith the present invention. One or more remote systems 710 attemptinteraction with a controller 720 (or communications module interfacingto controller) over a network 724. At 730, a locking component isprovided that limits access to the controller 720. This can include alist 740 such as a subnet list of addresses that limit which remotesystems 710 can gain access to the controller 720. In other words, if acommunicating device address does not appear on the list 740, thenaccess to the controller is prevented. The locking component 730 canalso be utilized to create a LAN-locked network, whereby only devices ofa selected Local Area Network (LAN) are provided on the list 740 and allother network access such as through a public network is prevented. Thelocking component 730 can also contain exclusionary entries. Thus, onlythe devices or addresses included on the list 740 are excluded fromcommunicating with the controller 720.

Referring to FIG. 11, a protocol diagram 760 illustrates securityencapsulation aspects in accordance with the present invention. At 764,one or more of the encryption and/or tunneling protocols described above(e.g., IPSEC, SSL, PPP) are employed to encrypt or encapsulate aplurality of control protocols illustrated at 760 that may also interactwith a controller (not shown) via a network at 770. The controlprotocols at 760 can cooperate with higher-level network protocols suchas the Ethernet, TCP/IP, Internet and/or other network protocols. Asillustrated at 764, encryption or tunneling protocols can encapsulate ortransport remote network protocols such as OLE for Process Control DataExchange (OPC DX) protocols, OPC Data Access (DA) protocols, CIPprotocols such as ControlNet, DeviceNet, and/or include Client ServerProtocols (CSP). Other protocols that can be encrypted include serialprotocols such as RS-232/422/485 and/or DataHighway/DataHighway+(DH/DH+) control protocols.

FIG. 12 illustrates a security methodology 800 in accordance with thepresent invention. While, for purposes of simplicity of explanation, themethodology is shown and described as a series of acts, it is to beunderstood and appreciated that the present invention is not limited bythe order of acts, as some acts may, in accordance with the presentinvention, occur in different orders and/or concurrently with other actsfrom that shown and described herein. For example, those skilled in theart will understand and appreciate that a methodology couldalternatively be represented as a series of interrelated states orevents, such as in a state diagram. Moreover, not all illustrated actsmay be required to implement a methodology in accordance with thepresent invention.

FIG. 12 illustrates a methodology 800 to facilitate data access securitybetween a network device and a controller in accordance with an aspectof the present invention. At 810, a security store is read (e.g., atpower-up of controller) to determine a mapping or security configurationfor a controller. The mapping determines potential communicationsconfigurations that are to be negotiated with the controller in order togain access to the controller, including potential areas within thecontroller and/or associated modules that interact with the controller.At 814, a determination is made as to the number of security layers thatare associated with a respective mapping read at 810. For example, afirst mapping may have four security layers configured whereas a secondor subsequent mapping may have the same, or more or less than foursecurity layers configured. At 818, respective layers from 814 are readand associated with one or more security components that areconfigured/defined for the respective layer.

For example, one layer may define virus detection components. Asubsequent layer may define trust and/or encryption components. Anotherlayer may define a policy store and associated user-defined and/orsystem-related policies. Still yet another layer may define VPNcomponents and/or subnet lists/LAN-lock lists that define a sub-networkof communicating devices which can describe devices to be included orexcluded from communicating to the sub-network and/or private network(e.g., IP addresses that define or exclude communicating networkdevices). As described above, the mappings can include area definitionswithin the controller that are associated with different securitylayers. This can also include security mappings having variouslyconfigured layers for modules that communicate with and/or through thecontroller. At 822, communications are established with network devicesin accordance with the mappings, security layers and associated securitycomponents selected for the respective layers. This can include securitynegotiations such as establishing a trust, in accordance with configuredpolicies/rules, and/or employing one or more other security techniquessuch as encryption.

What has been described above are preferred aspects of the presentinvention. It is, of course, not possible to describe every conceivablecombination of components or methodologies for purposes of describingthe present invention, but one of ordinary skill in the art willrecognize that many further combinations and permutations of the presentinvention are possible. Accordingly, the present invention is intendedto embrace all such alterations, modifications and variations that fallwithin the spirit and scope of the appended claims.

1. An industrial control system, comprising: an industrial controllerthat communicates with a network; at least one security layer configuredin the industrial controller, the security layer associated with atleast one security component further comprising at least one of a trustcomponent to authenticate a trust relationship between a remote systemand the industrial controller, an encryption component to provide dataencryption, and a policy component to facilitate varying levels of dataaccess to the industrial controller, and including user interfaceediting parameters; 1 to M mappings that relate a plurality of securitylayers configured in the industrial controller to at least one securitycomponent per layer, the security layers are associated with at leastone of similar security components and dissimilar security components, Mbeing an integer; a security layer store to map security layers tosecurity components; an operating system to manage the at least onesecurity layer, the at least one security component stored in accordancewith the operating system and an associated memory subsystem; and aprocessor to execute the operating system, the processor limitscommunications from the network based in part on the configured securitylayer.
 2. The system of claim 1, the trust component includes at leastone of Public Key Infrastructure (PKI) component and an Internet KeyExchange (IKE) component.
 3. The system of claim 2, the trust componentincludes at least one of a certificate, a pre-shared key, and a Kerberosticket.
 4. The system of claim 1, the encryption component includes atleast one of an Internet Protocol Security (IPSEC) component, a Kerberoscomponent, a Secure Socket Layer (SSL), and a tunneling protocol.
 5. Thesystem of claim 4, the encryption protocol is employed to at least oneof authenticate and authorize at least one of a user and a device. 6.The system of claim 5, further comprising at least one of an IPSECdriver and a TCP/IP driver to transport the encryption protocol.
 7. Thesystem of claim 5, further comprising at least one of a Main mode and aQuick mode negotiation to perform authentication and authorization. 8.The system of claim 1, the policy component including at least one of asecurity parameter, at least one rule, at least one filter, a filterlist, an authentication method, a tunnel parameter, and a connectiontype.
 9. The system of claim 1, the policy component includes at leastone user-defined rule for at least one of permitting and denying accessto the industrial controller.
 10. The system of claim 9, theuser-defined rule includes at least one of time-based, location-based,user-based, and process-based rule.
 11. The system of claim 10, furthercomprising logical rules established for at least one of a selectedpolicy and combinations of policies, the logical rules include at leastone of AND, OR, NOT, BOOLEAN, and mathematical combinations.
 12. Thesystem of claim 1, the at least one security component including aVirtual Private Network (VPN) component to facilitate communicationswithin a private network.
 13. The system of claim 1, the at least onesecurity component including a virus detection component that includesat least one of a commercially available detection program and acustom-coded detection program.
 14. The system of claim 1, the mappingsfurther comprise at least one of security configurations relating to anarea and security configurations relating to a device associated withthe industrial controller.
 15. The system of claim 1, further comprisingat least one of, a security components store to store securitycomponents, and a security mappings store to relate the security layersto at least one of an area within the industrial controller and a moduleassociated with the industrial controller.
 16. The system of claim 1,the at least one security component includes a locking component to atleast one of grant and prevent access to the industrial controller. 17.The system of claim 16, the locking component includes a subnet listdescribing network addresses of devices.
 18. The system of claim 1, theoperating system comprising at least one of Windows, Windows NT, Linux,.NET, OS-9, UNIX, Windows CE, CE.NET, VxWorks and VRTX.
 19. The systemof claim 1, the encryption component is employed to at least one ofencapsulate and encrypt a control protocol.
 20. The system of claim 19,the control protocol includes at least one of a EtherNet/IP, DeviceNet,ControlNet, OPC DX, OPC DA, Data Highway, and Data Highway+ protocol.21. A method to facilitate secure data exchange in an industrialcontroller network, comprising: mapping at least one security component,based at least on encryption technology, that relates respective areasand/or modules associated with an industrial controller to at least onesecurity layer in the industrial controller, the mapping is associatedwith at least one policy and/or rule that define when the mapping isactive; associating a plurality of security layers to at least onesecurity component per layer through 1 to M mappings, the plurality ofsecurity layers are associated with at least one of similar securitycomponents or dissimilar security components, M is an integer; storing amapping as a configuration to define communications access to theindustrial controller, including potential areas within the industrialcontroller and/or associated modules that interact with the industrialcontroller; and communicating to the industrial controller in accordancewith the stored mapping.
 22. The method of claim 21, further comprisingmapping a trust component, an encryption component and a policycomponent.
 23. The method of claim 21, further comprising exchanging atleast one of a certificate, a pre-shared key, and a ticket to facilitatea trust.
 24. The method of claim 21, further comprising at least one ofauthenticating and authorizing an entity.
 25. The method of claim 24,further comprising a negotiation to perform authentication andauthorization.
 26. The method of claim 21, further comprising definingrules that include at least one of time-based, location-based,user-based, process-based, and logical-based combination rules.
 27. Themethod of claim 21, further comprising creating a private network acrossa public network to provide access to the industrial controller.
 28. Themethod of claim 21, further comprising detecting viruses on theindustrial controller.
 29. The method of claim 21, further comprisingsegmenting at least one of an area and a device associated with theindustrial controller in according to the mapping.
 30. The method ofclaim 21, further comprising configuring a locking component to at leastone of grant and prevent access to the industrial controller.
 31. Anindustrial control system, comprising: a plurality of remote devicescommunicating on a network; an industrial controller that communicateswith the remote devices; a plurality of security layers stored in theindustrial controller, the security layers associated with at least onesecurity component further comprising at least one of a trust componentto authenticate a trust relationship between a remote device and theindustrial controller, an encryption component to provide dataencryption, and a policy component to facilitate varying levels of dataaccess to the industrial controller and including user interface editingparameters; 1 to M mappings that relate a plurality of security layersconfigured in the industrial controller to at least one securitycomponent per layer, the security layers are associated with at leastone of similar security components and dissimilar security components, Mbeing an integer; a security layer store residing in the industrialcontroller to map security layers to security components; an operatingsystem to configure the security layers, the at least one securitycomponent stored in accordance with the operating system and anassociated memory subsystem; and a processor to execute the operatingsystem, the processor limits communications from the remote devicesbased in part on the configured security layers.